Technical information
- <SYSTEM32>\tasks\foox
- %TEMP%\rarsfx0\postbox.exe
- %TEMP%\rarsfx0\explore.exe
- %TEMP%\rarsfx0\niihjhjbvctyhhfhhjhdbfjdhfjhdjfhjhjgg.vbs
- %TEMP%\dup2patcher.dll
- %TEMP%\bassmod.dll
- %TEMP%\64f4ea4c8142cac73e06647d59a699d1.dll
- %TEMP%\berlin sans fb.ttf
- 'ta###grdev.com':80
- 'ha###.mine.nu':7000
- http://ta###grdev.com/b/Lsfcncb.png
- 'ha###.mine.nu':7000
- DNS ASK ta###grdev.com
- DNS ASK ha###.mine.nu
- ClassName: 'EDIT' WindowName: ''
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\RarSFX0\niihjhjbvctyhhfhhjhdbfjdhfjhdjfhjhjgg.vbs"
- '%TEMP%\rarsfx0\postbox.exe'
- '%TEMP%\rarsfx0\explore.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /f /sc minute /mo 5 /tn FOOX /tr "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load((Get-ItemProperty HKCU:\Software\FOOX\).FOOX...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
- '<SYSTEM32>\schtasks.exe' /create /f /sc minute /mo 5 /tn FOOX /tr "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load((Get-ItemProperty HKCU:\Software\FOOX\).FOOX...
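Two of the launches above are worth decoding rather than reading as opaque strings: the `-enc` argument is base64 over the UTF-16LE text of the script (it decodes to `Start-Sleep -s 10;Start-Sleep -s 10`, a delay loop), and the `schtasks /create` line installs a task named FOOX that every 5 minutes runs a hidden, policy-bypassing PowerShell which loads a .NET assembly from the `HKCU\Software\FOOX` registry value. The following script is an added example, not part of this report and not the sample's own code: it runs those two checks over constructed copies of the command lines listed above (the `...` truncation in the task action is kept as the page shows it). The indicator names and the `triage` helper are this example's own choices.

```python
import base64
import binascii
import re

# Constructed sample of the process launches listed above. The trailing "..." in the
# schtasks action is the page's own truncation and is left as-is.
SAMPLE_LAUNCHES = r"""
'%WINDIR%\syswow64\wscript.exe' "%TEMP%\RarSFX0\niihjhjbvctyhhfhhjhdbfjdhfjhdjfhjhjgg.vbs"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
'<SYSTEM32>\schtasks.exe' /create /f /sc minute /mo 5 /tn FOOX /tr "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load((Get-ItemProperty HKCU:\Software\FOOX\).FOOX..."
""".strip().splitlines()

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match those rather than only the literal "-enc" seen on the page.
ENC_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Options of "schtasks /create" that describe the persistence: name, trigger, action.
SCHTASKS_OPT_RE = re.compile(r'/(tn|sc|mo|tr)\s+("([^"]*)"|\S+)', re.IGNORECASE)

# Indicator names are this example's own labels (hypothetical), not a vendor taxonomy.
ACTION_INDICATORS = {
    "powershell": r"\bpowershell\b",
    "executionpolicy_bypass": r"-executionpolicy\s+bypass",
    "hidden_window": r"-windowstyle\s+hidden",
    "reflective_assembly_load": r"\[system\.reflection\.assembly\]::load",
    "payload_in_registry": r"get-itemproperty\s+hk(?:cu|lm)",
}


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.

    The argument is base64 over the UTF-16LE encoding of the script text, which is
    why every other byte of the decoded blob is 0x00 for ASCII scripts.
    """
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_schtasks_create(cmdline):
    """Parse a 'schtasks /create' command line into its persistence-relevant fields."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    fields = {}
    for m in SCHTASKS_OPT_RE.finditer(cmdline):
        # group(3) is the unquoted content of a "..." value, group(2) a bare token
        fields[m.group(1).lower()] = m.group(3) if m.group(3) is not None else m.group(2)
    return {
        "name": fields.get("tn"),
        "schedule": fields.get("sc"),
        "modifier": fields.get("mo"),
        "action": fields.get("tr"),
    }


def action_indicators(action):
    """Names of the suspicious traits found in a task action, sorted for stable output."""
    return sorted(k for k, pat in ACTION_INDICATORS.items()
                  if re.search(pat, action, re.IGNORECASE))


def triage(cmdlines):
    """Run both checks over process command lines; one finding dict per hit."""
    findings = []
    for line in cmdlines:
        decoded = decode_encoded_command(line)
        if decoded is not None:
            findings.append({"kind": "encoded_powershell", "decoded": decoded})
        task = parse_schtasks_create(line)
        if task is not None:
            task["kind"] = "scheduled_task_persistence"
            task["indicators"] = action_indicators(task["action"] or "")
            findings.append(task)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LAUNCHES):
        print(finding)
```

On a live host the same two checks apply to `schtasks /query /fo LIST /v /tn FOOX` output and to the `HKCU\Software\FOOX` value itself, which is where the actual payload lives; the scheduled task and the registry value must both be removed, or the task re-creates the loader every 5 minutes.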